ICSA-23-138-04  ·  Published 2023-05-22

Johnson Controls OpenBlue Enterprise Manager Data Collector

CVSS 10.0 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker, under certain circumstances, to make application programming interface (API) calls to the OpenBlue Enterprise Manager Data Collector that do not require authentication and that may expose sensitive information to an unauthorized user.

Remediations

  • Johnson Controls recommends updating OpenBlue Enterprise Manager Data Collector firmware to version 3.2.5.75. Users must contact Johnson Controls to obtain the update.
  • For more information, refer to Johnson Controls Product Security Advisory JCI-PSA-2023-04 v1.

Affected Vendors

Johnson Controls Inc.

Affected Products (1)

Johnson Controls Inc. · OpenBlue Enterprise Manager Data Collector 3.2.5.75

Affected Sectors

Critical Manufacturing
